- From: Donald E. Eastlake 3rd <dee@cybercash.com>
- Date: Wed, 3 Jan 1996 21:41:29 -0500 (EST)
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Wed, 3 Jan 1996, Larry Masinter wrote: > I'm just trying to figure out how to deal with 'Digest Authentication' > in the face of claims that the mechanism has well known holes and > limitations. Here are the procedural options, as far as I can see > them: > > 1- Submit as Proposed standard as part of HTTP/1.1 > 2- Submit as Proposed standard as a separate document > 3- Submit as Informational, as part of HTTP/1.0 > 4- Submit as Informational, as a separate document > 5- Don't handle as part of IETF > > The problem with options 1 and 2 is whether such Proposed Standards > would have a chance of actually making it to Standard without change. > I don't think this will work out: the standards track really does > require us to propose solutions that don't have major holes, and if > we're not interested in fixing the known problems, trying to move > along standards track is inappropriate. I can't see anything wrong with having a spectrum of solutions that meet a spectrum of threat environments. Security need not be perfect to be useful. > The problem with option 3 is that it would delay the (already late) > HTTP/1.0 spec. > > So, I'm leaning toward option 4 or 5. With option 4, it is likely that > if you submit it in the current form, the IESG would either add or > require the authors to add appropriate disclaimers as to how Digest > Authentication might not add significant additional security above and > beyond Basic Authentication. Seems only reasonable to tell people what they are getting with an autentication scheme but the judgement that its effectivley the same as Basic in strength in only true for cerain threat environments. > Is this agreeable? I'd like to get the 'Digest Authentication' item > out of its currently stalled status, and move forward on this one way > or another. If you would like standard conformant software to include the feature, include it in the standard. Donald ===================================================================== Donald E. Eastlake 3rd +1 508-287-4877(tel) dee@cybercash.com 318 Acton Street +1 508-371-7148(fax) dee@world.std.com Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA)
Received on Wednesday, 3 January 1996 18:48:11 UTC